Sign uboot_env with AVB

The uboot_env partition determines the behavior of u-boot, so it has to
be verified before u-boot uses it. To make that possible, we sign
uboot_env using AVB: a hash footer is appended to the partition, and it
is registered as a chained partition of the vbmeta partition, which is on
the same disk as the uboot_env and bootconfig partitions.

Bug: 216304872
Test: run microdroid
Change-Id: Ida6353aff80aec485d73344eba18608a6bc659f8
diff --git a/apex/sign_virt_apex.py b/apex/sign_virt_apex.py
index 9a0fe1a..8fe3403 100644
--- a/apex/sign_virt_apex.py
+++ b/apex/sign_virt_apex.py
@@ -294,6 +294,8 @@
         input_dir, 'etc', 'microdroid_bootconfig.app_debuggable')
     bootconfig_full_debuggable = os.path.join(
         input_dir, 'etc', 'microdroid_bootconfig.full_debuggable')
+    uboot_env_img = os.path.join(
+        input_dir, 'etc', 'uboot_env.img')
 
     # Key(pubkey) for bootloader should match with the one used to make VBmeta below
     # while it's okay to use different keys for other image files.
@@ -330,17 +332,21 @@
         MakeVbmetaImage(args, key, vbmeta_img, images=[
                         boot_img, vendor_boot_img, init_boot_img, system_a_img, vendor_a_img])
 
-    # Re-sign bootconfigs with the same key
+    # Re-sign bootconfigs and the uboot_env with the same key
     bootconfig_sign_key = key
     AddHashFooter(args, bootconfig_sign_key, bootconfig_normal)
     AddHashFooter(args, bootconfig_sign_key, bootconfig_app_debuggable)
     AddHashFooter(args, bootconfig_sign_key, bootconfig_full_debuggable)
+    AddHashFooter(args, bootconfig_sign_key, uboot_env_img)
 
-    # Re-sign vbmeta_bootconfig with a chained_partition to "bootconfig"
-    # Note that, for now, `key` and `bootconfig_sign_key` are the same, but technically they
-    # can be different. Vbmeta records pubkeys which signed chained partitions.
+    # Re-sign vbmeta_bootconfig with chained_partitions to "bootconfig" and
+    # "uboot_env". Note that, for now, `key` and `bootconfig_sign_key` are the
+    # same, but technically they can be different. Vbmeta records pubkeys which
+    # signed chained partitions.
     MakeVbmetaImage(args, key, vbmeta_bootconfig_img, chained_partitions={
-                    'bootconfig': bootconfig_sign_key})
+                    'bootconfig': bootconfig_sign_key,
+                    'uboot_env': bootconfig_sign_key,
+    })
 
 
 def VerifyVirtApex(args):
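Review bot: `bootconfig_sign_key` now also signs `uboot_env.img` in the added `AddHashFooter` call and is recorded as the key for the `'uboot_env'` chained partition, so its name no longer describes what it covers. A neutral name such as `chained_sign_key`, or a comment on the assignment like `# also signs uboot_env; vbmeta_bootconfig records this pubkey for both chained partitions`, would make it harder for a later key split to leave uboot_env on the wrong key unnoticed. The signing function starts above this hunk, and `VerifyVirtApex` begins on its last line with its body outside the hunk. It cannot be confirmed from here that the verification path checks the re-signed `uboot_env.img`; if it lists files explicitly, this image presumably needs adding there.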
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e078108..29175a4 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -355,6 +355,10 @@
             name: "bootconfig",
             private_key: ":microdroid_sign_key",
         },
+        {
+            name: "uboot_env",
+            private_key: ":microdroid_sign_key",
+        },
     ],
 }
 
@@ -531,18 +535,42 @@
 
 genrule {
     name: "microdroid_uboot_env_gen",
-    tools: ["mkenvimage_host"],
-    srcs: ["uboot-env.txt"],
+    tools: [
+        "mkenvimage_host",
+        "avbtool",
+    ],
+    srcs: [
+        "uboot-env.txt",
+        ":microdroid_sign_key",
+    ],
     out: ["output.img"],
-    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
+    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(location uboot-env.txt) && " +
+        "$(location avbtool) add_hash_footer " +
+        "--algorithm SHA256_RSA4096 " +
+        "--partition_name uboot_env " +
+        "--key $(location :microdroid_sign_key) " +
+        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+        "--image $(out)",
 }
 
 genrule {
     name: "microdroid_uboot_env_gen_x86_64",
-    tools: ["mkenvimage_host"],
-    srcs: ["uboot-env-x86_64.txt"],
+    tools: [
+        "mkenvimage_host",
+        "avbtool",
+    ],
+    srcs: [
+        "uboot-env-x86_64.txt",
+        ":microdroid_sign_key",
+    ],
     out: ["output.img"],
-    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
+    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(location uboot-env-x86_64.txt) && " +
+        "$(location avbtool) add_hash_footer " +
+        "--algorithm SHA256_RSA4096 " +
+        "--partition_name uboot_env " +
+        "--key $(location :microdroid_sign_key) " +
+        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+        "--image $(out)",
 }
 
 // Note that keys can be different for filesystem images even though we're using the same key
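Review bot: The `--partition_size` expression in both genrules calls `$$(stat --format=%s $(out))`, which is GNU coreutils syntax, and `stat` is not declared in `tools`, so the signed image size depends on whichever `stat` the build host provides. Because `mkenvimage_host -s 4096` appears to fix the output at 4096 bytes, the rounded term could be the constant, e.g. `"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + 4096 )) "`, which removes the host dependency. The `avbtool add_hash_footer` portion is also repeated verbatim in `microdroid_uboot_env_gen` and `microdroid_uboot_env_gen_x86_64`. Moving it into a shared Blueprint string variable would keep the algorithm, the partition name `uboot_env` and the key identical in both. A short comment that the partition name must match the `uboot_env` chained-partition entry added earlier in this file would also help.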